Thursday, September 19, 2019

auditing

  • What is an Audit Trail in IT Context?

Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications.

The audit trail includes all or some of the following:
    Application-specific audit trail – ideally, each application records business-relevant events. They may be logged in text files or in separate database tables. They allow reconstructing the history much better than the arbitrary noisy logging that is usually in place.
    Application logs – this is a broader category as it includes logs that are not necessarily part of the audit trail (e.g. debug messages, exception stacktraces). Nevertheless, they may be useful, especially in case there is no dedicated application-specific audit trail functionality.
    Database logs – whether it is logged queries, change data capture or change tracking functionality, or some native audit trail functionality.
    Operating system logs – for Linux that would include the /var/log/audit/audit.log (or similar files), /var/log/auth.log. For Windows it would include the Windows Event logs for the Security and System groups.
    Access logs – access logs for web servers can be part of the audit trail especially for internal systems where a source IP address can more easily be mapped to particular users.
    Network logs – network equipment (routers, firewalls) generate a lot of data that may be seen as part of the audit trail (although it may be very noisy).

All of these events can (and should) be collected in a central place where they can be searched, correlated and analyzed.

Once the audit trail is collected, it has two other very important properties:
    Availability – is the audit trail available at all times, and how far back in time can it be accessed (also referred to as “retention”). Typically application, system and network logs are kept for shorter periods of time (1 to 3 months), which is far from ideal for an audit trail. Many standards and regulations require higher retention periods of up to 2 years.
    Integrity – data integrity is too often ignored. But if you can’t prove the integrity of your logs, both internally and to third parties (auditors, courts), then they are of no use.

A secure audit trail allows organizations to:
    Identify that something wrong has happened
    Prove what happened and who did it
    Reconstruct the original data
    Be compliant.

https://logsentinel.com/what-is-an-audit-trail-in-it-context/
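Added example (not LogSentinel's code or part of the quoted text): a minimal hash-chained audit trail in Python that makes the integrity property above concrete. Each record carries the hash of the one before it, so an edited record is detectable from the chain alone, while a truncated tail is only caught when the latest hash has been anchored somewhere the log writer cannot reach. Event contents and field names are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # stands in for the hash of the (non-existent) record before the first


def _digest(prev_hash, entry):
    """Hash the previous record's hash together with a canonical encoding of this entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append(trail, entry):
    """Append an event, linking it to the previous record so later edits break the chain."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    record = {"entry": entry, "prev": prev_hash, "hash": _digest(prev_hash, entry)}
    trail.append(record)
    return record


def verify(trail, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first record that fails.
    Tail truncation leaves a valid chain; it is only caught via an externally stored expected_head."""
    prev_hash = GENESIS
    for i, record in enumerate(trail):
        if record["prev"] != prev_hash or _digest(prev_hash, record["entry"]) != record["hash"]:
            return i
        prev_hash = record["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(trail)  # chain is shorter than the anchored head says it should be
    return -1


# Constructed sample events (not from any real system).
EVENTS = [
    {"ts": "2019-09-19T10:00:01Z", "user": "alice", "action": "login", "result": "ok"},
    {"ts": "2019-09-19T10:02:13Z", "user": "alice", "action": "grant_role", "target": "bob"},
    {"ts": "2019-09-19T10:05:40Z", "user": "bob", "action": "read_record", "target": "acct/42"},
]


def demo():
    """Build a trail, anchor its head, then show how each kind of tampering is reported."""
    trail = []
    for event in EVENTS:
        append(trail, event)
    head = trail[-1]["hash"]                       # the value you would ship off-box
    tampered = [dict(r, entry=dict(r["entry"])) for r in trail]
    tampered[1]["entry"]["user"] = "mallory"       # rewrite who granted the role
    truncated = trail[:-1]                         # silently drop the last record
    return verify(trail, head), verify(tampered), verify(truncated), verify(truncated, head)
```

demo() returns (-1, 1, -1, 2): intact, edit caught at record 1, truncation missed without the anchored head, truncation caught with it.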



  • Security Audit Logging Guideline

Regular log collection is critical to understanding the nature of security incidents during an active investigation and post mortem analysis.
Logs are also useful for establishing baselines, identifying operational trends and supporting the organization’s internal investigations, including audit and forensic analysis.
Log events in an audit logging program should at minimum include:

    Operating System (OS) Events
        start up and shut down of the system
        start up and down of a service
        network connection changes or failures
        changes to, or attempts to change, system security settings and controls
    OS Audit Records
        log on attempts (successful or unsuccessful)
        the function(s) performed after logging on (e.g., reading or updating critical file, software installation)
        account changes (e.g., account creation and deletion, account privilege assignment)
        successful/failed use of privileged accounts
    Application Account Information
        successful and failed application authentication attempts
        application account changes (e.g., account creation and deletion, account privilege assignment)
        use of application privileges
    Application operations
        application startup and shutdown
        application failures
        major application configuration changes
        application transactions, for example,
            e-mail servers recording the sender, recipients, subject name, and attachment names for each e-mail
            Web servers recording each URL requested and the type of response provided by the server
            business applications recording which financial records were accessed by each user

The details logged for each event may vary widely, but at minimum each event should capture:

    timestamp
    event, status, and/or error codes
    service/command/application name
    user or system account associated with an event
    Device used (e.g. source and destination IPs, terminal session ID, web browser, etc.)


https://security.berkeley.edu/security-audit-logging-guideline

  • a long line or a series of marks that have been left by someone or something

https://www.ldoceonline.com/dictionary/trail


  • A log is a recording of what happens on a system

https://en.wikipedia.org/wiki/Log_file

  • An audit trail is a recording of all user actions

https://en.wikipedia.org/wiki/Audit_trail


  • The logs show, in detail, the varied functions of the device or application, as well as when users log in or attempt to log in.

Logs are also known as audit records, audit trails, and event logs. Log management systems (LMS) can be used for a variety of functions, including:
collecting, centrally aggregating, storing and retaining, rotating, analyzing, and reporting logs.
The importance of these logs isn’t in the logging itself. Instead, it’s the analysis of these logs that provides value.

SIEM, though, is a significant step beyond log management.
    Log management (LM), as previously described, which collects and stores log files from operating systems and applications, across various hosts and systems.
    Security event management (SEM), which focuses on real-time monitoring, correlating events, providing overarching console views, and customizing notifications.
    Security information management (SIM), which provides long-term storage, analysis, manipulation, and reporting on logs and security records.
    Security event correlation (SEC), which tracks and alerts designated administrators when a peculiar sequence of events occurs, such as three failed login attempts under the same user name on different machines.

Benefits of SIEM
Like log management, the goal of SIEM is security – and it is only as good as the data it accesses. But advantages of a SIEM approach are its real-time analysis and connecting disparate systems in order to unify the information in one console.

https://www.bmc.com/blogs/siem-vs-log-management-whats-the-difference/
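Added example (not BMC's code or part of the quoted text): the security event correlation rule quoted above, failed logins for the same user name on different machines, run in Python over constructed key=value log lines. The line format, host names and the 10-minute window are assumptions; lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a key=value style (not from any real system), sorted by time.
SAMPLE_LOG = """\
2019-09-19T10:00:01 host=web01 event=login_failed user=alice
2019-09-19T10:00:09 host=db01 event=login_failed user=alice
2019-09-19T10:00:15 host=web01 event=login_failed user=bob
2019-09-19T10:00:20 host=web01 event=login_failed user=bob
2019-09-19T10:00:22 host=web01 event=login_failed user=bob
2019-09-19T10:00:30 host=vpn01 event=login_failed user=alice
2019-09-19T10:20:00 host=web02 event=login_failed user=carol
2019-09-19T10:21:00 host=db01 event=login_failed user=carol
2019-09-19T10:40:00 host=vpn01 event=login_failed user=carol
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+) user=(\S+)$")


def parse(line):
    """Split one line into (timestamp, host, event, user); None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, event, user = m.groups()
    return datetime.fromisoformat(ts), host, event, user


def correlate(lines, threshold=3, window=timedelta(minutes=10)):
    """Alert when one user has `threshold` failed logins from distinct hosts inside `window`.
    Repeats from a single host never trip the rule, and failures older than the window are forgotten."""
    recent = defaultdict(deque)  # user -> (timestamp, host) pairs still inside the window
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[2] != "login_failed":
            continue
        ts, host, _, user = parsed
        q = recent[user]
        q.append((ts, host))
        while ts - q[0][0] > window:   # q always holds the entry just appended
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= threshold:
            alerts.append((user, ts.isoformat(), sorted(hosts)))
            q.clear()  # one alert per burst rather than one per additional failure
    return alerts
```

On the sample, only alice trips the rule: bob's three failures come from one host and carol's three are spread over 20 minutes.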


  • What is File Integrity Monitoring (FIM)?

FIM solutions monitor file changes on servers, databases, network devices, directory servers, applications, cloud environments and virtual images, and alert you to unauthorized changes.
FIM helps you meet many regulatory compliance standards like PCI-DSS, NERC CIP, FISMA, SOX, NIST and HIPAA, as well as best practice frameworks like the CIS security benchmarks.

File Change Detection
    File integrity monitoring, in its simplest sense, is about keeping track of change from an established baseline and alerting you to any unexpected change that may represent a security risk or a compromise in regulatory compliance. Whether it’s a phishing scam, DDoS attack, malware, ransomware or insider threat, your FIM solution should alert you right away anytime a cybercriminal is penetrating your system.

Baseline Comparison
    In order to know which file changes are relevant to your security, you must first establish an authoritative data integrity baseline. File Integrity Manager will capture your system’s configuration baseline and deliver the “who, what and when” details of each relevant file change.

Automated Remediation
    Once your FIM solution flags a suspicious change from your established security baseline, it should provide immediate steps for remediation. Automated FIM solutions help you return to your baseline quickly. Advanced FIM products can also integrate with other security solutions like log management, vulnerability management and security configuration management (SCM), as well as your DevOps tools.

https://www.tripwire.com/solutions/file-integrity-and-change-monitoring/what-is-fim/
Verisys File Integrity Monitoring
https://www.ionx.co.uk/products/verisys
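Added example (not Tripwire or Verisys code): the baseline comparison described above, as a minimal Python snapshot-and-diff over a constructed temporary directory. It records content hash, size and permission bits per file, so a permission change is flagged even when content is unchanged. Paths, file contents and the POSIX permission check are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def _sha256(path):
    """Hash a file in chunks so large binaries do not need to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root to (sha256, size, permission bits)."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            snap[p.relative_to(root).as_posix()] = (_sha256(p), st.st_size, st.st_mode & 0o777)
    return snap


def compare(baseline, current):
    """Report files added, removed, or changed (content or permissions) since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario in a temp dir: take a baseline, then make four kinds of change."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts.allow").write_text("ALL: LOCAL\n")
        (root / "bin" / "run.sh").write_text("#!/bin/sh\necho ok\n")
        (root / "bin" / "run.sh").chmod(0o755)
        baseline = snapshot(root)
        (root / "etc" / "app.conf").write_text("debug=true\n")   # content edited
        (root / "bin" / "run.sh").chmod(0o777)                    # permissions loosened, content same
        (root / "etc" / "hosts.allow").unlink()                   # file removed
        (root / "bin" / "new.sh").write_text("#!/bin/sh\n")       # file added
        return compare(baseline, snapshot(root))
```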
  • Auditing is used to answer the question "Who did what?" and possibly why. Logging is more focussed on what's happening.
  • syslog is a general logging daemon available for any application or the system to use for any reason. The audit daemon's job is to track specific activities or events to determine who did what and when.
  • Auditing often has legal requirements.

  • Auditing
    Business level events
    Information for users and clients
    Who did what, when
    Often required legally or by the client contract
    Usually kept indefinitely or at least for legally specified period

Logging
    Program level events
    Information for developers and support
    What happened, incl. debug information
    Required for maintenance or debugging purposes
    Often deleted after a short time